Topic: Requesting help please

TylerDoom (Topic Starter)
    Requesting help please
    « on: September 03, 2010, 10:24:37 PM »
    There is something for sure on my PC. It's been running slow, IE has been crashing a lot, and Windows even displays a message saying it's probably because of a malicious add-on. I can't seem to find whatever this is, and I am not very wise when it comes to this kind of thing, so any help from a site pro will be much appreciated.

    I have McAfee Security Center and it's been running EXTREMELY slow. It takes almost 20 hours to complete the regular scan. It also starts automatically every 3-5 days, informing me I haven't run a scan in the last 30 days.

    I also have, and ran in the order and with the settings the sticky thread said to:

    CCleaner
    SUPERAntiSpyware
    Malwarebytes' Anti-Malware
    And now HijackThis.
    I also have Spybot S&D, which I run 3-4 times a month.

    I ran all the ones I had a week prior to now (all but CCleaner and HijackThis), and several times in the past, and it found a few things every once in a while, but never had any red items or anything that SEEMED that bad.

    So here are my logs in order, and I hope this is enough info to get some help from a pro. I definitely appreciate the time of anyone that helps.

    Thank you very much ahead of time.


    EDIT: I just now see that I am not to post logs unless requested by the pros. So I have all three of them ready if you need to see them. Thanks.

    TylerDoom (Topic Starter)
      Re: Requesting help please
      « Reply #1 on: September 04, 2010, 11:00:51 AM »

      SUPERAntiSpyware Scan Log
      http://www.superantispyware.com

      Generated 09/03/2010 at 10:58 PM

      Application Version : 4.42.1000

      Core Rules Database Version : 5454
      Trace Rules Database Version: 3266

      Scan type : Complete Scan
      Total Scan Time : 02:29:44

      Memory items scanned : 712
      Memory threats detected : 0
      Registry items scanned : 8153
      Registry threats detected : 1
      File items scanned : 144432
      File threats detected : 0

      System.BrokenFileAssociation
      HKCR\.exe

      _______________________________



      Malwarebytes' Anti-Malware 1.46
      www.malwarebytes.org

      Database version: 4539

      Windows 6.0.6002 Service Pack 2
      Internet Explorer 8.0.6001.18943

      9/3/2010 11:17:36 PM
      mbam-log-2010-09-03 (23-17-36).txt

      Scan type: Quick scan
      Objects scanned: 134689
      Time elapsed: 6 minute(s), 38 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 0

      Memory Processes Infected:
      (No malicious items detected)

      Memory Modules Infected:
      (No malicious items detected)

      Registry Keys Infected:
      (No malicious items detected)

      Registry Values Infected:
      (No malicious items detected)

      Registry Data Items Infected:
      (No malicious items detected)

      Folders Infected:
      (No malicious items detected)

      Files Infected:
      (No malicious items detected)

      _______________________________

      TylerDoom (Topic Starter)
        Re: Requesting help please
        « Reply #2 on: September 04, 2010, 11:03:40 AM »
        Logfile of Trend Micro HijackThis v2.0.4
        Scan saved at 11:26:19 PM, on 9/3/2010
        Platform: Windows Vista SP2 (WinNT 6.00.1906)
        MSIE: Internet Explorer v8.00 (8.00.6001.18943)
        Boot mode: Normal

        Running processes:
        C:\Windows\system32\Dwm.exe
        C:\Windows\system32\taskeng.exe
        C:\Windows\Explorer.EXE
        c:\PROGRA~1\mcafee.com\agent\mcagent.exe
        C:\Windows\RtHDVCpl.exe
        C:\Windows\PixArt\Pac207\Monitor.exe
        C:\Program Files\Zune\ZuneLauncher.exe
        C:\Program Files\Common Files\Java\Java Update\jusched.exe
        C:\Program Files\DivX\DivX Update\DivXUpdate.exe
        C:\Windows\ehome\ehtray.exe
        C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
        C:\Windows\system32\conime.exe
        C:\Windows\ehome\ehmsas.exe
        C:\Windows\system32\wbem\unsecapp.exe
        C:\Windows\system32\taskeng.exe
        c:\program files\internet explorer\iexplore.exe
        c:\program files\internet explorer\iexplore.exe
        c:\program files\internet explorer\iexplore.exe
        c:\program files\internet explorer\iexplore.exe
        C:\Windows\system32\NOTEPAD.EXE
        C:\Program Files\Trend Micro\Sniper.exe\sniper.exe.exe

        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=1208&m=et1161-07
        R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
        R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=1208&m=et1161-07
        R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
        R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
        R3 - URLSearchHook: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
        O1 - Hosts: ::1 localhost
        O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
        O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
        O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
        O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
        O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
        O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
        O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
        O4 - HKLM\..\Run: [Monitor] C:\Windows\PixArt\PAC207\Monitor.exe
        O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
        O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
        O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
        O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
        O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
        O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
        O4 - HKLM\..\Run: [PAC207_Monitor] C:\Windows\PixArt\PAC207\Monitor.exe
        O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
        O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
        O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
        O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
        O4 - HKCU\..\Run: [PoivY] "C:\Program Files\PoivY.com\PoivY\PoivY.exe" -nosplash -minimized
        O4 - HKCU\..\Run: [SipDiscount] "C:\Program Files\SipDiscount.com\SipDiscount\SipDiscount.exe" -nosplash -minimized
        O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
        O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
        O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
        O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
        O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
        O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
        O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
        O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
        O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
        O16 - DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/mjss/MJSS.cab109791.cab
        O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
        O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
        O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
        O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
        O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
        O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
        O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
        O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
        O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
        O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
        O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
        O23 - Service: Empowering Technology Service (ETService) - Unknown owner - C:\Program Files\EMACHINES\eMachines Recovery Management\Service\ETService.exe
        O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
        O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
        O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
        O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
        O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
        O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
        O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
        O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
        O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
        O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
        O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
        O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
        O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
        O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
        O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
        O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

        --
        End of file - 9046 bytes



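A HijackThis log like the one above is read by eye: a helper looks for dangling "(no file)" and "(file missing)" references, hosts-file entries that are not plain loopback, start/search pages and ActiveX (O16) downloads pulled from hosts nobody vetted, autostarts launched from outside Program Files or Windows, and services with no publisher. The script below, added here as an example and not code from this thread, from HijackThis or from Trend Micro, encodes those same checks. The sample log is constructed: its clean lines are modelled on entries in the posted log, while the suspicious lines (the hosts redirect, the hijacked start page, the AppData autostart) are invented for the demonstration and are not findings about the poster's machine. The trusted path prefixes and the host allow-list are assumptions a responder tunes per case.

```python
"""Triage a HijackThis 2.x log the way a forum helper reads it by eye.

Added example, not code from the thread or from HijackThis. The checks are
common responder heuristics; TRUSTED_PREFIXES and ALLOWED_HOSTS are
assumptions to be tuned for the machine being looked at.
"""
import re
from urllib.parse import urlparse

# Constructed sample. Clean lines mirror the kind of entries in the posted log;
# the suspicious ones are invented for the demo and are NOT about the poster's PC.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
Running processes:
C:\Windows\Explorer.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.emachines.com/rdr.aspx?b=ACEW
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.example-hijack.test/?q=
O1 - Hosts: ::1 localhost
O1 - Hosts: 203.0.113.7 www.update.microsoft.com
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [svchost] C:\Users\user\AppData\Roaming\svchost.exe
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader55.cab
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d{1,2}) - (?P<body>.+)$")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Assumption: autostart (O4) command lines are expected to begin under these roots.
TRUSTED_PREFIXES = ("c:\\program files", "c:\\progra~1", "c:\\windows",
                    "%programfiles%", "%systemroot%", "%windir%")

# Assumption: hosts the responder has vetted for start/search pages and ActiveX
# downloads, seeded from the vendors visible in the posted log.
ALLOWED_HOSTS = frozenset({
    "go.microsoft.com", "homepage.emachines.com", "www.google.com",
    "messenger.zone.msn.com", "upload.facebook.com", "www.nvidia.com",
    "platformdl.adobe.com",
})


def parse_entries(log_text):
    """Return (section, body) pairs for every R0..R3 / O1..O24 entry line."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["sec"], m["body"]))
    return entries


def _url_host(body):
    """Lower-cased hostname of the first http(s) URL in the entry, or None."""
    m = URL_RE.search(body)
    if not m:
        return None
    host = urlparse(m.group(0)).hostname
    return host.lower() if host else None


def _hosts_entry_is_loopback(body):
    """O1 bodies are 'Hosts: <ip> <name>'; only loopback -> localhost is benign."""
    fields = body.split("Hosts:", 1)[-1].split()
    return (len(fields) == 2 and fields[1].lower() == "localhost"
            and fields[0] in ("127.0.0.1", "::1"))


def triage(entries, allowed_hosts=ALLOWED_HOSTS):
    """Return (section, reason, body) for each entry a responder should inspect."""
    findings = []
    for sec, body in entries:
        low = body.lower()
        # Dangling references: clutter, but also a trace of a half-removed component.
        if "(no file)" in low or "(file missing)" in low:
            findings.append((sec, "registry points at a file that is no longer on disk", body))
        if sec == "O1" and not _hosts_entry_is_loopback(body):
            findings.append((sec, "hosts-file entry redirects a name", body))
        elif sec in ("R0", "R1"):
            host = _url_host(body)
            if host and host not in allowed_hosts:
                findings.append((sec, "start/search page on an unvetted host", body))
        elif sec == "O4":
            # Everything after the [name] tag is the command line; drop a leading quote.
            target = body.partition("] ")[2].strip().lstrip('"').lower()
            if not target.startswith(TRUSTED_PREFIXES):
                findings.append((sec, "autostart binary outside Program Files/Windows", body))
        elif sec == "O16":
            host = _url_host(body)
            if host and host not in allowed_hosts:
                findings.append((sec, "ActiveX package downloaded from an unvetted host", body))
        elif sec == "O23" and "unknown owner" in low:
            findings.append((sec, "service binary carries no publisher information", body))
    return findings


if __name__ == "__main__":
    for sec, reason, body in triage(parse_entries(SAMPLE_LOG)):
        print(f"{sec:<4}{reason}\n    {body}")
```

Run against the constructed sample it reports six items: the hijacked R0 start page, the non-loopback O1 entry, the orphan O3 toolbar, the O4 autostart under AppData, and the GameGuard O23 line twice (missing file and no publisher); the clean lines modelled on the posted log are not flagged. A "flag" here only means "look at this": every listed item still needs the file checked on disk (publisher, hash, creation time) before anything is removed.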

        TylerDoom (Topic Starter)
          Re: Requesting help please
          « Reply #3 on: September 06, 2010, 09:40:29 PM »
          Also, I cannot uninstall "DivX". I hope I posted my info and request properly. I don't know what the problem with my PC is. Thanks to anyone that can help.

          SuperDave (Malware Removal Specialist)
          Re: Requesting help please
          « Reply #4 on: September 07, 2010, 05:39:13 PM »
          Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer. I am working under the guidance of one of the specialists of this forum, so it may take a bit longer to process your logs.

          1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
          2. The fixes are specific to your problem and should only be used for this issue on this machine.
          3. If you don't know or understand something, please don't hesitate to ask.
          4. Please DO NOT run any other tools or scans while I am helping you.
          5. It is important that you reply to this thread. Do not start a new topic.
          6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
          7. Absence of symptoms does not mean that everything is clear.

          Download ComboFix by sUBs from one of the links below.

          Important! You MUST save ComboFix to your desktop

          Link #1
          Link #2

          Temporarily disable your Anti-virus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

          Double click on ComboFix.exe & follow the prompts.

          Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)

          Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

          When the scan completes it will open a text window.
           
          Post the contents of that log in your next reply.

          Remember to re-enable your Anti-virus and Antispyware protection when ComboFix is complete.

          TylerDoom (Topic Starter)
            Re: Requesting help please
            « Reply #5 on: September 07, 2010, 09:28:27 PM »
            This is the info Windows still tells me after IE crashes, just in case I didn't explain things well:

            "What is Data Execution Prevention?

            Data Execution Prevention (DEP) is a security feature that can help prevent damage to your computer from viruses and other security threats. Harmful programs can try to attack Windows by attempting to run (also known as execute) code from system memory locations reserved for Windows and other authorized programs. These types of attacks can harm your programs and files.

            DEP can help protect your computer by monitoring your programs to make sure that they use system memory safely. If DEP notices a program on your computer using memory incorrectly, it closes the program and notifies you."


            Here is the log:

            ComboFix 10-09-07.01 - Tyler 09/07/2010  22:13:44.2.2 - x86
            Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.1.1033.18.3070.1945 [GMT -5:00]
            Running from: c:\users\Tyler\Desktop\ComboFix.exe
            SP: Spybot - Search and Destroy *disabled* (Outdated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
            SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
            SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
            .

            (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
            .

            c:\windows\system32\%appdata%

            .
            (((((((((((((((((((((((((   Files Created from 2010-08-08 to 2010-09-08  )))))))))))))))))))))))))))))))
            .

            2010-09-08 03:34 . 2010-09-08 03:37   --------   d-----w-   c:\users\Tyler\AppData\Local\temp
            2010-09-08 03:34 . 2010-09-08 03:34   --------   d-----w-   c:\users\Public\AppData\Local\temp
            2010-09-08 03:34 . 2010-09-08 03:34   --------   d-----w-   c:\users\Default\AppData\Local\temp
            2010-09-04 04:22 . 2010-09-04 04:24   --------   d-----w-   c:\program files\Trend Micro
            2010-09-04 01:11 . 2010-09-04 01:11   --------   d-----w-   c:\program files\CCleaner
            2010-09-01 14:16 . 2010-04-29 20:39   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
            2010-09-01 14:16 . 2010-09-01 14:16   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
            2010-09-01 14:16 . 2010-04-29 20:39   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
            2010-08-31 23:22 . 2010-08-31 23:22   --------   d-----w-   c:\program files\The Weather Channel FW
            2010-08-31 23:21 . 2010-08-31 23:21   --------   d-----w-   c:\users\Tyler\AppData\Local\The Weather Channel
            2010-08-31 16:04 . 2010-08-31 16:06   --------   d-----w-   c:\program files\QuickTime
            2010-08-31 16:04 . 2010-08-31 16:04   --------   d-----w-   c:\programdata\Apple Computer
            2010-08-28 06:50 . 2010-08-28 07:00   --------   d-----r-   c:\program files\SCHTHACK Phantasy Star Online Blue Burst
            2010-08-19 16:55 . 2010-08-19 16:55   --------   d-----w-   c:\programdata\NVIDIA Corporation
            2010-08-19 16:52 . 2010-07-09 22:37   56936   ----a-w-   c:\windows\system32\OpenCL.dll
            2010-08-19 16:52 . 2010-07-09 22:37   11008040   ----a-w-   c:\windows\system32\drivers\nvlddmkm.sys
            2010-08-19 16:52 . 2010-07-09 22:37   5107816   ----a-w-   c:\windows\system32\nvwgf2um.dll
            2010-08-19 16:52 . 2010-07-09 22:37   14092904   ----a-w-   c:\windows\system32\nvoglv32.dll
            2010-08-19 16:52 . 2010-07-09 22:37   2892904   ----a-w-   c:\windows\system32\nvcuvid.dll
            2010-08-19 16:52 . 2010-07-09 22:37   2506344   ----a-w-   c:\windows\system32\nvcuvenc.dll
            2010-08-19 16:52 . 2010-07-09 22:37   4553832   ----a-w-   c:\windows\system32\nvcuda.dll
            2010-08-19 16:52 . 2010-07-09 22:37   236136   ----a-w-   c:\windows\system32\nvcod1922.dll
            2010-08-19 16:52 . 2010-07-09 22:37   236136   ----a-w-   c:\windows\system32\nvcod.dll
            2010-08-19 16:52 . 2010-07-09 22:37   10267240   ----a-w-   c:\windows\system32\nvcompiler.dll
            2010-08-19 16:50 . 2010-08-19 16:50   --------   d-----w-   c:\program files\SystemRequirementsLab
            2010-08-11 18:26 . 2010-06-18 17:31   36864   ----a-w-   c:\windows\system32\rtutils.dll
            2010-08-11 18:26 . 2010-06-08 17:35   3600768   ----a-w-   c:\windows\system32\ntkrnlpa.exe
            2010-08-11 18:26 . 2010-06-08 17:35   3548040   ----a-w-   c:\windows\system32\ntoskrnl.exe
            2010-08-11 18:26 . 2010-06-11 16:15   1248768   ----a-w-   c:\windows\system32\msxml3.dll
            2010-08-11 18:26 . 2010-06-18 15:04   302080   ----a-w-   c:\windows\system32\drivers\srv.sys
            2010-08-11 18:26 . 2010-06-18 15:04   144896   ----a-w-   c:\windows\system32\drivers\srv2.sys
            2010-08-11 18:26 . 2010-06-16 16:04   905088   ----a-w-   c:\windows\system32\drivers\tcpip.sys

            .
            ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            2010-09-08 03:37 . 2009-08-25 07:06   36917   ----a-w-   c:\programdata\nvModes.dat
            2010-09-08 03:36 . 2008-10-30 02:18   --------   d-----w-   c:\programdata\NVIDIA
            2010-09-04 06:21 . 2009-08-25 08:21   --------   d-----w-   c:\program files\OpenAL
            2010-09-04 01:17 . 2010-01-13 00:56   --------   d-----w-   c:\programdata\Spybot - Search & Destroy
            2010-09-04 01:09 . 2009-04-17 07:05   --------   d-----w-   c:\programdata\Viewpoint
            2010-08-30 13:59 . 2010-03-10 02:19   --------   d-----w-   c:\program files\McAfee
            2010-08-28 15:22 . 2010-01-12 22:07   --------   d-----w-   c:\program files\SUPERAntiSpyware
            2010-08-28 06:56 . 2010-05-17 18:13   --------   d-----w-   c:\program files\Apple Software Update
            2010-08-25 03:32 . 2010-08-25 03:32   --------   d-----w-   c:\program files\LSI SoftModem
            2010-08-19 16:57 . 2009-08-25 07:02   --------   d-----w-   c:\program files\NVIDIA Corporation
            2010-08-12 08:07 . 2008-10-30 02:41   --------   d-----w-   c:\program files\Microsoft Works
            2010-08-12 08:01 . 2008-10-30 02:40   --------   d-----w-   c:\programdata\Microsoft Help
            2010-08-12 08:01 . 2006-11-02 11:18   --------   d-----w-   c:\program files\Windows Mail
            2010-07-30 20:52 . 2009-09-19 04:29   --------   d-----w-   c:\program files\Steam
            2010-07-30 04:40 . 2009-12-13 05:24   1530368   ----a-w-   c:\windows\system32\_online.exe
            2010-07-19 10:01 . 2010-07-19 09:57   --------   d-----w-   c:\users\Tyler\AppData\Roaming\SipDiscount
            2010-07-19 09:53 . 2010-04-04 15:20   --------   d-----w-   c:\users\Tyler\AppData\Roaming\PoivY
            2010-07-15 20:18 . 2010-03-10 02:20   130424   ----a-w-   c:\windows\system32\drivers\Mpfp.sys
            2010-07-11 22:30 . 2010-05-23 08:45   --------   d-----w-   c:\programdata\DivX
            2010-07-11 02:57 . 2009-07-15 06:12   --------   d-----w-   c:\program files\PKR
            2010-07-10 06:08 . 2010-05-23 08:46   --------   d-----w-   c:\program files\DivX
            2010-07-09 22:37 . 2009-08-17 05:57   604776   ----a-w-   c:\windows\system32\nvudisp.exe
            2010-07-09 22:37 . 2008-11-04 20:34   9818728   ----a-w-   c:\windows\system32\nvd3dum.dll
            2010-07-09 22:37 . 2008-10-30 02:29   1625192   ----a-w-   c:\windows\system32\nvapi.dll
            2010-07-09 21:37 . 2010-07-09 21:37   1469544   ----a-w-   c:\windows\system32\nvsvc.dll
            2010-07-09 21:37 . 2010-07-09 21:37   13939816   ----a-w-   c:\windows\system32\nvcpl.dll
            2010-07-09 21:37 . 2010-07-09 21:37   129640   ----a-w-   c:\windows\system32\nvvsvc.exe
            2010-07-09 21:37 . 2010-07-09 21:37   110696   ----a-w-   c:\windows\system32\nvmctray.dll
            2010-07-07 18:46 . 2008-10-30 02:15   604776   ----a-w-   c:\windows\system32\NVUNINST.EXE
            2010-06-26 06:05 . 2010-08-11 18:27   916480   ----a-w-   c:\windows\system32\wininet.dll
            2010-06-26 06:02 . 2010-08-11 18:27   109056   ----a-w-   c:\windows\system32\iesysprep.dll
            2010-06-26 06:02 . 2010-08-11 18:27   71680   ----a-w-   c:\windows\system32\iesetup.dll
            2010-06-26 04:25 . 2010-08-11 18:27   133632   ----a-w-   c:\windows\system32\ieUnatt.exe
            2010-06-21 13:37 . 2010-08-11 18:27   2037760   ----a-w-   c:\windows\system32\win32k.sys
            2010-06-11 16:16 . 2010-08-11 18:27   274944   ----a-w-   c:\windows\system32\schannel.dll
            2009-09-22 02:19 . 2009-09-22 02:02   608744450   ----a-w-   c:\program files\WarRock20081102.exe
            .

            (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            .
            *Note* empty entries & legit default entries are not shown
            REGEDIT4

            [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
            "NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]
            "DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2010-04-16 818288]

            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
            "RtHDVCpl"="RtHDVCpl.exe" [2008-07-23 6183456]
            "Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-11 323584]
            "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2010-01-07 158448]
            "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
            "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
            "McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
            "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
            "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
            "PAC207_Monitor"="c:\windows\PixArt\PAC207\Monitor.exe" [2007-12-11 323584]
            "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-08-10 421888]

            [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
            "EnableUIADesktopToggle"= 0 (0x0)

            [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
            "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
            2010-08-28 15:22   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL

            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
            "aux1"=wdmaud.drv

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
            @=""

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
            @=""

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
            @="Service"

            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
            @="Service"

            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
            2010-06-03 00:50   1144104   ----a-w-   c:\program files\DivX\DivX Update\DivXUpdate.exe

            [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
            "VistaSp2"=hex(b):37,a6,fa,1e,10,94,ca,01

            [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-992643091-3083304189-3454565884-1000]
            "EnableNotificationsRef"=dword:00000001

            R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
            R3 cpuz130;cpuz130;c:\users\Tyler\AppData\Local\Temp\cpuz130\cpuz_x32.sys

            R3 MRV6X32U;Linksys Wireless-N USB Network Adapter WUSB300N for Vista x86 (USB8x);c:\windows\system32\DRIVERS\WUSB300N.sys [2007-03-16 316672]
            R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-02-17 2736890]
            R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-08-28 12872]
            R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
            R3 XDva310;XDva310;c:\windows\system32\XDva310.sys

            R3 XDva317;XDva317;c:\windows\system32\XDva317.sys

            R3 XDva321;XDva321;c:\windows\system32\XDva321.sys

            R3 XDva327;XDva327;c:\windows\system32\XDva327.sys [2010-02-25 66248]
            R3 XDva332;XDva332;c:\windows\system32\XDva332.sys

            R3 XDva336;XDva336;c:\windows\system32\XDva336.sys

            R3 XDva337;XDva337;c:\windows\system32\XDva337.sys

            R3 XDva341;XDva341;c:\windows\system32\XDva341.sys

            R3 XDva342;XDva342;c:\windows\system32\XDva342.sys

            R3 XDva347;XDva347;c:\windows\system32\XDva347.sys

            R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2009-07-28 721904]
            S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-08-28 12872]
            S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2010-08-28 67656]
            S2 ETService;Empowering Technology Service;c:\program files\EMACHINES\eMachines Recovery Management\Service\ETService.exe [2008-06-11 24576]
            S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2010-05-20 88176]
            S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
            S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
            S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-07-09 248936]
            S3 PAC207;PC Camer@;c:\windows\system32\DRIVERS\PFC027.SYS [2008-02-13 618112]


            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
            LocalServiceAndNoImpersonation   REG_MULTI_SZ      FontCache
            .
            Contents of the 'Scheduled Tasks' folder

            2010-08-15 c:\windows\Tasks\McDefragTask.job
            - c:\progra~1\mcafee\mqc\QcConsol.exe [2010-03-10 18:22]

            2010-09-01 c:\windows\Tasks\McQcTask.job
            - c:\progra~1\mcafee\mqc\QcConsol.exe [2010-03-10 18:22]

            2010-09-08 c:\windows\Tasks\User_Feed_Synchronization-{03964399-1B3B-4881-A777-7585C7FC79E6}.job
            - c:\windows\system32\msfeedssync.exe [2010-08-11 04:24]
            .
            .
            ------- Supplementary Scan -------
            .
            uStart Page = hxxp://www.google.com/
            mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&s=1&o=vp32&d=1208&m=et1161-07
            .
            - - - - ORPHANS REMOVED - - - -

            Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
            WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
            WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
            HKCU-Run-SipDiscount - c:\program files\SipDiscount.com\SipDiscount\SipDiscount.exe
            MSConfigStartUp-PoivY - c:\program files\PoivY.com\PoivY\PoivY.exe
            AddRemove-LSI Soft Modem - c:\windows\agrsmdel



            **************************************************************************

            catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
            Rootkit scan 2010-09-07 22:37
            Windows 6.0.6002 Service Pack 2 NTFS

            scanning hidden processes ... 

            scanning hidden autostart entries ...

            scanning hidden files ... 


            c:\windows\TEMP\SEP65D.tmp 0 bytes

            scan completed successfully
            hidden files: 1

            **************************************************************************

            [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\npggsvc]
            "ImagePath"="c:\windows\system32\GameMon.des -service"
            .
            --------------------- LOCKED REGISTRY KEYS ---------------------

            [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
            @Denied: (A) (Users)
            @Denied: (A) (Everyone)
            @Allowed: (B 1 2 3 4 5) (S-1-5-20)
            "BlindDial"=dword:00000000
            "MSCurrentCountry"=dword:000000b5
            .
            --------------------- DLLs Loaded Under Running Processes ---------------------

            - - - - - - - > 'Explorer.exe'(5972)
            c:\progra~1\mcafee\SITEAD~1\saHook.dll
            .
            ------------------------ Other Running Processes ------------------------
            .
            c:\windows\system32\nvvsvc.exe
            c:\windows\system32\nvvsvc.exe
            c:\windows\system32\WUDFHost.exe
            c:\windows\system32\agrsmsvc.exe
            c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
            c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
            c:\program files\McAfee\MPF\MPFSrv.exe
            c:\windows\system32\rundll32.exe
            c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
            c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
            c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
            c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
            c:\windows\system32\WUDFHost.exe
            c:\progra~1\McAfee\MSC\mcmscsvc.exe
            c:\progra~1\mcafee.com\agent\mcagent.exe
            c:\windows\system32\conime.exe
            c:\windows\system32\wbem\unsecapp.exe
            c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
            c:\program files\Windows Media Player\wmpnetwk.exe
            c:\program files\Zune\ZuneNss.exe
            c:\windows\servicing\TrustedInstaller.exe
            c:\program files\Internet Explorer\IELowutil.exe
            .
            **************************************************************************
            .
            Completion time: 2010-09-07  22:47:05 - machine was rebooted
            ComboFix-quarantined-files.txt  2010-09-08 03:47
            ComboFix2.txt  2010-01-13 02:53

            Pre-Run: 133,440,774,144 bytes free
            Post-Run: 133,402,669,056 bytes free

            - - End Of File - - 3880DE0498D30419CEA4ADB665E31036
            « Last Edit: September 07, 2010, 09:52:35 PM by TylerDoom »

            SuperDave

            • Malware Removal Specialist


            • Genius
            • Thanked: 1020
            • Certifications: List
            • Experience: Expert
            • OS: Windows 10
            Re: Requesting help please
            « Reply #6 on: September 08, 2010, 06:30:01 PM »
            Quote
            Also I cannot uninstall "DivX".. 
            You can try uninstalling it this way.

            Delete An Uninstall Entry

            •Start HijackThis

            •Click on the Open the Misc Tools section

            •Click on the Open Uninstall Manager button.

            •Highlight the entry you want to remove (DivX).
            •Click Delete this entry
            *******************************
            You have Viewpoint installed.

            Viewpoint Media Player/Manager/Toolbar is considered Foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".

            More information:

            * ViewMgr.exe - Useless
            * Viewpoint to Plunge Into Adware

            It is suggested that you remove the program now. Go to Start > Control Panel > Add/Remove Programs (on Vista & Win7 this is Programs and Features) and remove the following programs if present.

            * Viewpoint
            * Viewpoint Manager
            * Viewpoint Media Player
            * Viewpoint Toolbar
            * Viewpoint Experience Technology


            *********************************
            Download the GMER Rootkit Scanner. Unzip it to your Desktop.

            Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

            Double-click gmer.exe. The program will begin to run.

            **Caution**
            These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

            If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
            • Click NO
            • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
            • Now click the Scan button.
            • Once the scan is complete, you may receive another notice about rootkit activity.
            • Click OK.
            • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
            • Save it where you can easily find it, such as your desktop.
            Windows 8 and Windows 10 dual boot with two SSD's
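As an added example (not GMER's code and not part of the original thread), the following Python parses the hook entries a GMER log prints, in the line format seen in the log posted later in this thread, and separates hooks owned by a known security driver from hooks GMER could not attribute to any module, which is where the false positives the caution above refers to come from. The KNOWN_SECURITY_MODULES allow-list and SAMPLE_LOG are constructed for the example; the unknown.dll line in the sample is made up to exercise the "unknown module" branch.

```python
"""Triage the hook entries in a GMER log by the module that installed them.

Added example, not GMER's code. The allow-list and SAMPLE_LOG are constructed;
SAMPLE_LOG mirrors the line format of GMER's System, Kernel code sections and
User code sections.
"""
import re
from collections import Counter, defaultdict

# Constructed allow-list: security-product drivers expected to hook system calls
# (McAfee and SUPERAntiSpyware are both installed on the machine in this thread).
KNOWN_SECURITY_MODULES = {
    "mfehidk.sys": "McAfee",
    "sasdifsv.sys": "SUPERAntiSpyware",
    "saskutil.sys": "SUPERAntiSpyware",
}

# System section: "Code  <driver path> (<description>)  <function> [0x<address>]"
SYSTEM_RE = re.compile(
    r"^Code\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<func>\w+)"
    r"(?:\s+\[0x(?P<addr>[0-9A-Fa-f]+)\])?\s*$"
)
# Kernel/User code sections:
# ".text  <target>!<function>  <addr> N Bytes  JMP <dest> [<module path> (<description>)]"
JMP_RE = re.compile(
    r"^\.text\s+(?P<target>.+?)!(?P<func>\w+)\s+(?P<addr>[0-9A-Fa-f]+)\s+"
    r"(?P<n>\d+)\s+Bytes\s+JMP\s+(?P<dest>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\))?\s*$"
)
# A user-mode target reads "C:\...\services.exe[744] kernel32.dll"; kernel targets have no [pid].
PROC_RE = re.compile(r"^(?P<image>.+?)\[(?P<pid>\d+)\]\s+(?P<dll>\S+)$")


def basename(path):
    """Last path component, lower-cased, so allow-list lookups ignore directory and case."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_gmer(text):
    """Return one dict per hook line; section headers and blank lines are ignored."""
    hooks = []
    for raw in text.splitlines():
        line = raw.strip()
        m = SYSTEM_RE.match(line)
        if m:
            hooks.append({"kind": "system", "process": None, "pid": None,
                          "func": m["func"], "module": basename(m["module"]),
                          "dest": m["addr"]})
            continue
        m = JMP_RE.match(line)
        if not m:
            continue
        pm = PROC_RE.match(m["target"])
        if pm:  # inline patch inside a user-mode process
            kind, process, pid, lib = "user", basename(pm["image"]), int(pm["pid"]), pm["dll"]
        else:   # inline patch in a kernel image such as ntkrnlpa.exe
            kind, process, pid, lib = "kernel", None, None, m["target"]
        hooks.append({"kind": kind, "process": process, "pid": pid,
                      "func": f"{lib}!{m['func']}",
                      "module": basename(m["module"]) if m["module"] else None,
                      "dest": m["dest"]})
    return hooks


def triage(hooks):
    """Bucket hooks: owned by a known security driver, owned by an unknown module,
    or not attributed by GMER to any module (the bucket that needs human review)."""
    report = {"expected": Counter(), "unknown_module": Counter(),
              "unattributed": defaultdict(Counter)}
    for h in hooks:
        if h["module"] is None:
            owner = f"{h['process']}[{h['pid']}]" if h["process"] else "kernel"
            report["unattributed"][owner][h["func"].split("!")[0]] += 1
        elif h["module"] in KNOWN_SECURITY_MODULES:
            report["expected"][h["module"]] += 1
        else:
            report["unknown_module"][h["module"]] += 1
    return report


# Constructed sample in GMER's line format; the unknown.dll line is made up.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

Code            \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)   ZwCreateFile [0x8A99DC50]
Code            \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)   NtCreateFile

---- Kernel code sections - GMER 1.0.15 ----

.text           ntkrnlpa.exe!ZwYieldExecution   828659D2 5 Bytes  JMP 8A99DC92 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- User code sections - GMER 1.0.15 ----

.text           C:\Windows\system32\services.exe[744] kernel32.dll!CreateProcessW   77811BF3 5 Bytes  JMP 002100DF
.text           C:\Windows\system32\services.exe[744] WS2_32.dll!socket   77C636D1 5 Bytes  JMP 00370FEF
.text           C:\Windows\system32\lsass.exe[756] ADVAPI32.dll!RegOpenKeyExW   776F7BA1 5 Bytes  JMP 000B0040
.text           C:\Windows\system32\svchost.exe[948] kernel32.dll!LoadLibraryA   778394DC 5 Bytes  JMP 0073002F C:\constructed\unknown.dll (constructed example)
"""

if __name__ == "__main__":
    rep = triage(parse_gmer(SAMPLE_LOG))
    for bucket in ("expected", "unknown_module"):
        for module, count in rep[bucket].items():
            print(f"{bucket:15} {module:20} {count} hook(s)")
    for owner, libs in rep["unattributed"].items():
        print(f"unattributed    {owner:20} {dict(libs)}")
```

The unattributed bucket (JMPs into low, unnamed memory inside services.exe, lsass.exe and the like) is exactly the kind of entry the caution above is about: it has to be correlated with what is actually loaded in that process before it means anything.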

            TylerDoom

              Topic Starter


              Beginner

              • Experience: Beginner
              • OS: Windows 8
              Re: Requesting help please
              « Reply #7 on: September 08, 2010, 11:12:43 PM »
              Alright here is what happened.

                First I tried to use HiJackThis to remove DivXsetup, and it didn't work.. When I click delete entry followed by the click on "yes" it does nothing, and the DivX is still on my PC.

                Then secondly, after I tried that, I used the Rootkit program you suggested and it worked fine at first, no alert pop-ups on start-up, so then I made sure all the boxes were checked except for the "show all" box, then I clicked run scan...

                It worked for about 2 minutes or less, then it stopped working, then the windows "program is not responding" message popped up and it had to close...

                Well then I tried to run it again, then before it started back up, my PC went to a blue screen.... Then it reset itself..

                Now it started back up and I'm back to my desktop and I will wait to see what you say before taking any action.

                Thank you very much for your time SuperDave

              SuperDave

              • Malware Removal Specialist


              • Genius
              • Thanked: 1020
              • Certifications: List
              • Experience: Expert
              • OS: Windows 10
              Re: Requesting help please
              « Reply #8 on: September 09, 2010, 04:00:12 PM »
              Please try to run GMER this way.

              Copy (Ctrl +C) and paste (Ctrl +V) the text in the code box below to Notepad.

              Code:
              @echo off
              Copy /y gmer.exe ark.exe
              Start ark.exe

              Save it into the gmer folder as  File name: ark.cmd
              Save as type: All Files

              Once done, double click ark.cmd to run it.

              This should start GMER, follow the steps I have outlined earlier to save a log file, then post me the contents in your next reply.
              Windows 8 and Windows 10 dual boot with two SSD's

              TylerDoom

                Topic Starter


                Beginner

                • Experience: Beginner
                • OS: Windows 8
                Re: Requesting help please
                « Reply #9 on: September 09, 2010, 10:39:43 PM »
                It ran fine this time, saved the log.. Then I tried to open it, and it went to blue screen again and reset... here is the log, thanks for your time SD.


                GMER 1.0.15.15281 - http://www.gmer.net
                Rootkit scan 2010-09-09 23:57:39
                Windows 6.0.6002 Service Pack 2
                Running: ark.exe; Driver: C:\Users\Tyler\AppData\Local\Temp\uflyrpod.sys


                ---- System - GMER 1.0.15 ----

                Code            \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                            ZwCreateFile [0x8A99DC50]
                Code            \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                            ZwCreateProcess [0x8A99DC7A]
                Code            \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                            ZwMapViewOfSection [0x8A99DCA2]
                Code            \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                            ZwProtectVirtualMemory [0x8A99DC64]
                Code            \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                            ZwSetContextThread [0x8A99DC3C]
                Code            \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                            ZwSetInformationProcess [0x8A99DC28]
                Code            \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                            ZwTerminateProcess [0x8A99DCD1]
                Code            \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                            ZwUnmapViewOfSection [0x8A99DCB8]
                Code            \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                            ZwYieldExecution [0x8A99DC8E]
                Code            \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                            NtCreateFile
                Code            \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                            NtMapViewOfSection
                Code            \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)                            NtSetInformationProcess

                ---- Kernel code sections - GMER 1.0.15 ----

                .text           ntkrnlpa.exe!ZwYieldExecution                                                                         828659D2 5 Bytes  JMP 8A99DC92 \SystemRoot\system32\drivers\mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

                ---- User code sections - GMER 1.0.15 ----

                .text           C:\Windows\system32\services.exe[744] kernel32.dll!GetStartupInfoW                                    77811929 5 Bytes  JMP 00210F6D
                .text           C:\Windows\system32\services.exe[744] kernel32.dll!GetStartupInfoA                                    778119C9 5 Bytes  JMP 002100B3
                .text           C:\Windows\system32\services.exe[744] kernel32.dll!CreateProcessW                                     77811BF3 5 Bytes  JMP 002100DF
                .text           C:\Windows\system32\services.exe[744] kernel32.dll!CreateProcessA                                     77811C28 5 Bytes  JMP 00210F3E
                .text           C:\Windows\system32\services.exe[744] kernel32.dll!VirtualProtect                                     77811DC3 5 Bytes  JMP 00210F92
                .text           C:\Windows\system32\services.exe[744] kernel32.dll!CreateNamedPipeA                                   77812EF5 5 Bytes  JMP 0021001B
                .text           C:\Windows\system32\services.exe[744] kernel32.dll!CreateNamedPipeW                                   77815C0C 5 Bytes  JMP 00210FCA
                .text           C:\Windows\system32\services.exe[744] kernel32.dll!CreatePipe                                         77838E6E 5 Bytes  JMP 002100A2
                .text           C:\Windows\system32\services.exe[744] kernel32.dll!LoadLibraryExW                                     77839109 5 Bytes  JMP 0021006C
                .text           C:\Windows\system32\services.exe[744] kernel32.dll!LoadLibraryW                                       77839362 5 Bytes  JMP 00210051
                .text           C:\Windows\system32\services.exe[744] kernel32.dll!LoadLibraryExA                                     778394B4 5 Bytes  JMP 00210FAF
                .text           C:\Windows\system32\services.exe[744] kernel32.dll!LoadLibraryA                                       778394DC 5 Bytes  JMP 0021002C
                .text           C:\Windows\system32\services.exe[744] kernel32.dll!VirtualProtectEx                                   7783DBDA 5 Bytes  JMP 0021007D
                .text           C:\Windows\system32\services.exe[744] kernel32.dll!GetProcAddress                                     7785903B 5 Bytes  JMP 002100F0
                .text           C:\Windows\system32\services.exe[744] kernel32.dll!CreateFileW                                        7785AECB 5 Bytes  JMP 00210FEF
                .text           C:\Windows\system32\services.exe[744] kernel32.dll!CreateFileA                                        7785CE5F 5 Bytes  JMP 00210000
                .text           C:\Windows\system32\services.exe[744] kernel32.dll!WinExec                                            778A5CF7 5 Bytes  JMP 002100C4
                .text           C:\Windows\system32\services.exe[744] ADVAPI32.dll!RegCreateKeyExA                                    776D39AB 5 Bytes  JMP 00200040
                .text           C:\Windows\system32\services.exe[744] ADVAPI32.dll!RegCreateKeyA                                      776D3BA9 5 Bytes  JMP 00200025
                .text           C:\Windows\system32\services.exe[744] ADVAPI32.dll!RegOpenKeyA                                        776D89C7 5 Bytes  JMP 00200FEF
                .text           C:\Windows\system32\services.exe[744] ADVAPI32.dll!RegCreateKeyW                                      776E391E 5 Bytes  JMP 00200F9E
                .text           C:\Windows\system32\services.exe[744] ADVAPI32.dll!RegCreateKeyExW                                    776E41F1 5 Bytes  JMP 00200F83
                .text           C:\Windows\system32\services.exe[744] ADVAPI32.dll!RegOpenKeyExA                                      776E7C42 5 Bytes  JMP 00200FCA
                .text           C:\Windows\system32\services.exe[744] ADVAPI32.dll!RegOpenKeyW                                        776EE2B5 5 Bytes  JMP 0020000A
                .text           C:\Windows\system32\services.exe[744] ADVAPI32.dll!RegOpenKeyExW                                      776F7BA1 5 Bytes  JMP 00200FB9
                .text           C:\Windows\system32\services.exe[744] msvcrt.dll!_wsystem                                             77227F2F 5 Bytes  JMP 001F0042
                .text           C:\Windows\system32\services.exe[744] msvcrt.dll!system                                               7722804B 5 Bytes  JMP 001F0FB7
                .text           C:\Windows\system32\services.exe[744] msvcrt.dll!_creat                                               7722BBE1 5 Bytes  JMP 001F0FD9
                .text           C:\Windows\system32\services.exe[744] msvcrt.dll!_open                                                7722D106 5 Bytes  JMP 001F0000
                .text           C:\Windows\system32\services.exe[744] msvcrt.dll!_wcreat                                              7722D326 5 Bytes  JMP 001F0FC8
                .text           C:\Windows\system32\services.exe[744] msvcrt.dll!_wopen                                               7722D501 5 Bytes  JMP 001F0011
                .text           C:\Windows\system32\services.exe[744] WS2_32.dll!socket                                               77C636D1 5 Bytes  JMP 00370FEF
                .text           C:\Windows\system32\lsass.exe[756] kernel32.dll!GetStartupInfoW                                       77811929 5 Bytes  JMP 000C00B3
                .text           C:\Windows\system32\lsass.exe[756] kernel32.dll!GetStartupInfoA                                       778119C9 5 Bytes  JMP 000C0F6D
                .text           C:\Windows\system32\lsass.exe[756] kernel32.dll!CreateProcessW                                        77811BF3 5 Bytes  JMP 000C00DF
                .text           C:\Windows\system32\lsass.exe[756] kernel32.dll!CreateProcessA                                        77811C28 5 Bytes  JMP 000C00CE
                .text           C:\Windows\system32\lsass.exe[756] kernel32.dll!VirtualProtect                                        77811DC3 5 Bytes  JMP 000C007D
                .text           C:\Windows\system32\lsass.exe[756] kernel32.dll!CreateNamedPipeA                                      77812EF5 5 Bytes  JMP 000C000A
                .text           C:\Windows\system32\lsass.exe[756] kernel32.dll!CreateNamedPipeW                                      77815C0C 5 Bytes  JMP 000C0FAF
                .text           C:\Windows\system32\lsass.exe[756] kernel32.dll!CreatePipe                                            77838E6E 5 Bytes  JMP 000C0F88
                .text           C:\Windows\system32\lsass.exe[756] kernel32.dll!LoadLibraryExW                                        77839109 5 Bytes  JMP 000C006C
                .text           C:\Windows\system32\lsass.exe[756] kernel32.dll!LoadLibraryW                                          77839362 5 Bytes  JMP 000C0040
                .text           C:\Windows\system32\lsass.exe[756] kernel32.dll!LoadLibraryExA                                        778394B4 5 Bytes  JMP 000C005B
                .text           C:\Windows\system32\lsass.exe[756] kernel32.dll!LoadLibraryA                                          778394DC 5 Bytes  JMP 000C0025
                .text           C:\Windows\system32\lsass.exe[756] kernel32.dll!VirtualProtectEx                                      7783DBDA 5 Bytes  JMP 000C008E
                .text           C:\Windows\system32\lsass.exe[756] kernel32.dll!GetProcAddress                                        7785903B 5 Bytes  JMP 000C0F2D
                .text           C:\Windows\system32\lsass.exe[756] kernel32.dll!CreateFileW                                           7785AECB 5 Bytes  JMP 000C0FD4
                .text           C:\Windows\system32\lsass.exe[756] kernel32.dll!CreateFileA                                           7785CE5F 5 Bytes  JMP 000C0FE5
                .text           C:\Windows\system32\lsass.exe[756] kernel32.dll!WinExec                                               778A5CF7 5 Bytes  JMP 000C0F48
                .text           C:\Windows\system32\lsass.exe[756] ADVAPI32.dll!RegCreateKeyExA                                       776D39AB 5 Bytes  JMP 000B0FC0
                .text           C:\Windows\system32\lsass.exe[756] ADVAPI32.dll!RegCreateKeyA                                         776D3BA9 5 Bytes  JMP 000B0051
                .text           C:\Windows\system32\lsass.exe[756] ADVAPI32.dll!RegOpenKeyA                                           776D89C7 5 Bytes  JMP 000B0FEF
                .text           C:\Windows\system32\lsass.exe[756] ADVAPI32.dll!RegCreateKeyW                                         776E391E 5 Bytes  JMP 000B006C
                .text           C:\Windows\system32\lsass.exe[756] ADVAPI32.dll!RegCreateKeyExW                                       776E41F1 5 Bytes  JMP 000B007D
                .text           C:\Windows\system32\lsass.exe[756] ADVAPI32.dll!RegOpenKeyExA                                         776E7C42 5 Bytes  JMP 000B002F
                .text           C:\Windows\system32\lsass.exe[756] ADVAPI32.dll!RegOpenKeyW                                           776EE2B5 5 Bytes  JMP 000B0014
                .text           C:\Windows\system32\lsass.exe[756] ADVAPI32.dll!RegOpenKeyExW                                         776F7BA1 5 Bytes  JMP 000B0040
                .text           C:\Windows\system32\lsass.exe[756] msvcrt.dll!_wsystem                                                77227F2F 5 Bytes  JMP 000A0044
                .text           C:\Windows\system32\lsass.exe[756] msvcrt.dll!system                                                  7722804B 5 Bytes  JMP 000A0FB9
                .text           C:\Windows\system32\lsass.exe[756] msvcrt.dll!_creat                                                  7722BBE1 5 Bytes  JMP 000A0029
                .text           C:\Windows\system32\lsass.exe[756] msvcrt.dll!_open                                                   7722D106 5 Bytes  JMP 000A0FEF
                .text           C:\Windows\system32\lsass.exe[756] msvcrt.dll!_wcreat                                                 7722D326 5 Bytes  JMP 000A0FD4
                .text           C:\Windows\system32\lsass.exe[756] msvcrt.dll!_wopen                                                  7722D501 5 Bytes  JMP 000A0018
                .text           C:\Windows\system32\lsass.exe[756] WS2_32.dll!socket                                                  77C636D1 5 Bytes  JMP 0018000A
                .text           C:\Windows\system32\svchost.exe[948] kernel32.dll!GetStartupInfoW                                     77811929 5 Bytes  JMP 00730F4B
                .text           C:\Windows\system32\svchost.exe[948] kernel32.dll!GetStartupInfoA                                     778119C9 5 Bytes  JMP 00730F5C
                .text           C:\Windows\system32\svchost.exe[948] kernel32.dll!CreateProcessW                                      77811BF3 5 Bytes  JMP 007300B6
                .text           C:\Windows\system32\svchost.exe[948] kernel32.dll!CreateProcessA                                      77811C28 5 Bytes  JMP 00730F1F
                .text           C:\Windows\system32\svchost.exe[948] kernel32.dll!VirtualProtect                                      77811DC3 5 Bytes  JMP 00730F8B
                .text           C:\Windows\system32\svchost.exe[948] kernel32.dll!CreateNamedPipeA                                    77812EF5 5 Bytes  JMP 0073000A
                .text           C:\Windows\system32\svchost.exe[948] kernel32.dll!CreateNamedPipeW                                    77815C0C 5 Bytes  JMP 00730FB9
                .text           C:\Windows\system32\svchost.exe[948] kernel32.dll!CreatePipe                                          77838E6E 5 Bytes  JMP 00730087
                .text           C:\Windows\system32\svchost.exe[948] kernel32.dll!LoadLibraryExW                                      77839109 5 Bytes  JMP 00730065
                .text           C:\Windows\system32\svchost.exe[948] kernel32.dll!LoadLibraryW                                        77839362 5 Bytes  JMP 00730FA8
                .text           C:\Windows\system32\svchost.exe[948] kernel32.dll!LoadLibraryExA                                      778394B4 5 Bytes  JMP 0073004A
                .text           C:\Windows\system32\svchost.exe[948] kernel32.dll!LoadLibraryA                                        778394DC 5 Bytes  JMP 0073002F
                .text           C:\Windows\system32\svchost.exe[948] kernel32.dll!VirtualProtectEx                                    7783DBDA 5 Bytes  JMP 00730076
                .text           C:\Windows\system32\svchost.exe[948] kernel32.dll!GetProcAddress                                      7785903B 5 Bytes  JMP 00730F0E
                .text           C:\Windows\system32\svchost.exe[948] kernel32.dll!CreateFileW                                         7785AECB 5 Bytes  JMP 00730FD4
                .text           C:\Windows\system32\svchost.exe[948] kernel32.dll!CreateFileA                                         7785CE5F 5 Bytes  JMP 00730FE5
                .text           C:\Windows\system32\svchost.exe[948] kernel32.dll!WinExec                                             778A5CF7 5 Bytes  JMP 00730F30
                .text           C:\Windows\system32\svchost.exe[948] msvcrt.dll!_wsystem                                              77227F2F 5 Bytes  JMP 00180FA8
                .text           C:\Windows\system32\svchost.exe[948] msvcrt.dll!system                                                7722804B 5 Bytes  JMP 00180FB9
                .text           C:\Windows\system32\svchost.exe[948] msvcrt.dll!_creat                                                7722BBE1 5 Bytes  JMP 00180FEF
                .text           C:\Windows\system32\svchost.exe[948] msvcrt.dll!_open                                                 7722D106 5 Bytes  JMP 00180000
                .text           C:\Windows\system32\svchost.exe[948] msvcrt.dll!_wcreat                                               7722D326 5 Bytes  JMP 00180FDE
                .text           C:\Windows\system32\svchost.exe[948] msvcrt.dll!_wopen                                                7722D501 5 Bytes  JMP 00180029
                .text           C:\Windows\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyExA                                     776D39AB 5 Bytes  JMP 00190FD4
                .text           C:\Windows\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyA                                       776D3BA9 5 Bytes  JMP 0019005B
                .text           C:\Windows\system32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyA                                         776D89C7 5 Bytes  JMP 00190FEF
                .text           C:\Windows\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyW                                       776E391E 5 Bytes  JMP 00190076
                .text           C:\Windows\system32\svchost.exe[948] ADVAPI32.dll!RegCreateKeyExW                                     776E41F1 5 Bytes  JMP 00190091
                .text           C:\Windows\system32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyExA                                       776E7C42 5 Bytes  JMP 0019002F
                .text           C:\Windows\system32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyW                                         776EE2B5 5 Bytes  JMP 00190014
                .text           C:\Windows\system32\svchost.exe[948] ADVAPI32.dll!RegOpenKeyExW                                       776F7BA1 5 Bytes  JMP 00190040
                .text           C:\Windows\system32\svchost.exe[948] WS2_32.dll!socket                                                77C636D1 5 Bytes  JMP 00740FEF
                .text           C:\Windows\system32\svchost.exe[1020] kernel32.dll!GetStartupInfoW                                    77811929 5 Bytes  JMP 008700AB
                .text           C:\Windows\system32\svchost.exe[1020] kernel32.dll!GetStartupInfoA                                    778119C9 5 Bytes  JMP 00870F65
                .text           C:\Windows\system32\svchost.exe[1020] kernel32.dll!CreateProcessW                                     77811BF3 5 Bytes  JMP 00870F40
                .text           C:\Windows\system32\svchost.exe[1020] kernel32.dll!CreateProcessA                                     77811C28 5 Bytes  JMP 008700CD
                .text           C:\Windows\system32\svchost.exe[1020] kernel32.dll!VirtualProtect                                     77811DC3 5 Bytes  JMP 00870075
                .text           C:\Windows\system32\svchost.exe[1020] kernel32.dll!CreateNamedPipeA                                   77812EF5 5 Bytes  JMP 0087002C
                .text           C:\Windows\system32\svchost.exe[1020] kernel32.dll!CreateNamedPipeW                                   77815C0C 5 Bytes  JMP 0087003D
                .text           C:\Windows\system32\svchost.exe[1020] kernel32.dll!CreatePipe                                         77838E6E 5 Bytes  JMP 00870F80
                .text           C:\Windows\system32\svchost.exe[1020] kernel32.dll!LoadLibraryExW                                     77839109 5 Bytes  JMP 00870F9B
                .text           C:\Windows\system32\svchost.exe[1020] kernel32.dll!LoadLibraryW                                       77839362 5 Bytes  JMP 00870FAC
                .text           C:\Windows\system32\svchost.exe[1020] kernel32.dll!LoadLibraryExA                                     778394B4 5 Bytes  JMP 0087004E
                .text           C:\Windows\system32\svchost.exe[1020] kernel32.dll!LoadLibraryA                                       778394DC 5 Bytes  JMP 00870FC7
                .text           C:\Windows\system32\svchost.exe[1020] kernel32.dll!VirtualProtectEx                                   7783DBDA 5 Bytes  JMP 00870090
                .text           C:\Windows\system32\svchost.exe[1020] kernel32.dll!GetProcAddress                                     7785903B 5 Bytes  JMP 008700E8
                .text           C:\Windows\system32\svchost.exe[1020] kernel32.dll!CreateFileW                                        7785AECB 5 Bytes  JMP 00870011
                .text           C:\Windows\system32\svchost.exe[1020] kernel32.dll!CreateFileA                                        7785CE5F 5 Bytes  JMP 00870000
                .text           C:\Windows\system32\svchost.exe[1020] kernel32.dll!WinExec                                            778A5CF7 5 Bytes  JMP 008700BC
                .text           C:\Windows\system32\svchost.exe[1020] msvcrt.dll!_wsystem                                             77227F2F 5 Bytes  JMP 002C0FB7
                .text           C:\Windows\system32\svchost.exe[1020] msvcrt.dll!system                                               7722804B 5 Bytes  JMP 002C0FD2
                .text           C:\Windows\system32\svchost.exe[1020] msvcrt.dll!_creat                                               7722BBE1 5 Bytes  JMP 002C0027
                .text           C:\Windows\system32\svchost.exe[1020] msvcrt.dll!_open                                                7722D106 5 Bytes  JMP 002C0000
                .text           C:\Windows\system32\svchost.exe[1020] msvcrt.dll!_wcreat                                              7722D326 5 Bytes  JMP 002C0042
                .text           C:\Windows\system32\svchost.exe[1020] msvcrt.dll!_wopen                                               7722D501 5 Bytes  JMP 002C0FE3
                .text           C:\Windows\system32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyExA                                    776D39AB 5 Bytes  JMP 00860F9E
                .text           C:\Windows\system32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyA                                      776D3BA9 5 Bytes  JMP 0086002F
                .text           C:\Windows\system32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyA                                        776D89C7 5 Bytes  JMP 00860FEF
                .text           C:\Windows\system32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyW                                      776E391E 5 Bytes  JMP 0086004A
                .text           C:\Windows\system32\svchost.exe[1020] ADVAPI32.dll!RegCreateKeyExW                                    776E41F1 5 Bytes  JMP 00860F8D
                .text           C:\Windows\system32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyExA                                      776E7C42 5 Bytes  JMP 00860FCD
                .text           C:\Windows\system32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyW                                        776EE2B5 5 Bytes  JMP 00860FDE
                .text           C:\Windows\system32\svchost.exe[1020] ADVAPI32.dll!RegOpenKeyExW                                      776F7BA1 5 Bytes  JMP 0086001E
                .text           C:\Windows\system32\svchost.exe[1020] WS2_32.dll!socket                                               77C636D1 5 Bytes  JMP 00880FEF
                .text           C:\Windows\System32\svchost.exe[1060] kernel32.dll!GetStartupInfoW                                    77811929 5 Bytes  JMP 0135006C
                .text           C:\Windows\System32\svchost.exe[1060] kernel32.dll!GetStartupInfoA                                    778119C9 5 Bytes  JMP 01350F26
                .text           C:\Windows\System32\svchost.exe[1060] kernel32.dll!CreateProcessW                                     77811BF3 5 Bytes  JMP 01350EF0
                .text           C:\Windows\System32\svchost.exe[1060] kernel32.dll!CreateProcessA                                     77811C28 5 Bytes  JMP 01350091
                .text           C:\Windows\System32\svchost.exe[1060] kernel32.dll!VirtualProtect                                     77811DC3 5 Bytes  JMP 01350F52
                .text           C:\Windows\System32\svchost.exe[1060] kernel32.dll!CreateNamedPipeA                                   77812EF5 5 Bytes  JMP 0135001B
                .text           C:\Windows\System32\svchost.exe[1060] kernel32.dll!CreateNamedPipeW                                   77815C0C 5 Bytes  JMP 01350FC0
                .text           C:\Windows\System32\svchost.exe[1060] kernel32.dll!CreatePipe                                         77838E6E 5 Bytes  JMP 01350F41
                .text           C:\Windows\System32\svchost.exe[1060] kernel32.dll!LoadLibraryExW                                     77839109 5 Bytes  JMP 01350F79
                .text           C:\Windows\System32\svchost.exe[1060] kernel32.dll!LoadLibraryW                                       77839362 5 Bytes  JMP 01350FA5
                .text           C:\Windows\System32\svchost.exe[1060] kernel32.dll!LoadLibraryExA                                     778394B4 5 Bytes  JMP 01350F94
                .text           C:\Windows\System32\svchost.exe[1060] kernel32.dll!LoadLibraryA                                       778394DC 5 Bytes  JMP 0135002C
                .text           C:\Windows\System32\svchost.exe[1060] kernel32.dll!VirtualProtectEx                                   7783DBDA 5 Bytes  JMP 01350047
                .text           C:\Windows\System32\svchost.exe[1060] kernel32.dll!GetProcAddress                                     7785903B 5 Bytes  JMP 01350ED5
                .text           C:\Windows\System32\svchost.exe[1060] kernel32.dll!CreateFileW                                        7785AECB 5 Bytes  JMP 0135000A
                .text           C:\Windows\System32\svchost.exe[1060] kernel32.dll!CreateFileA                                        7785CE5F 5 Bytes  JMP 01350FEF
                .text           C:\Windows\System32\svchost.exe[1060] kernel32.dll!WinExec                                            778A5CF7 5 Bytes  JMP 01350F0B
                .text           C:\Windows\System32\svchost.exe[1060] msvcrt.dll!_wsystem                                             77227F2F 5 Bytes  JMP 01330F9C
                .text           C:\Windows\System32\svchost.exe[1060] msvcrt.dll!system                                               7722804B 5 Bytes  JMP 01330027
                .text           C:\Windows\System32\svchost.exe[1060] msvcrt.dll!_creat                                               7722BBE1 5 Bytes  JMP 0133000C
                .text           C:\Windows\System32\svchost.exe[1060] msvcrt.dll!_open                                                7722D106 5 Bytes  JMP 01330FEF
                .text           C:\Windows\System32\svchost.exe[1060] msvcrt.dll!_wcreat                                              7722D326 5 Bytes  JMP 01330FB7
                .text           C:\Windows\System32\svchost.exe[1060] msvcrt.dll!_wopen                                               7722D501 5 Bytes  JMP 01330FD2
                .text           C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyExA                                    776D39AB 5 Bytes  JMP 01340036
                .text           C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyA                                      776D3BA9 5 Bytes  JMP 01340025
                .text           C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyA                                        776D89C7 5 Bytes  JMP 01340000
                .text           C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyW                                      776E391E 5 Bytes  JMP 01340F94
                .text           C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyExW                                    776E41F1 5 Bytes  JMP 01340F79
                .text           C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyExA                                      776E7C42 5 Bytes  JMP 01340FCA
                .text           C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyW                                        776EE2B5 5 Bytes  JMP 01340FE5
                .text           C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!RegOpenKeyExW                                      776F7BA1 5 Bytes  JMP 01340FB9
                .text           C:\Windows\System32\svchost.exe[1060] WS2_32.dll!socket                                               77C636D1 5 Bytes  JMP 01430FE5
                .text           C:\Windows\System32\svchost.exe[1060] wininet.dll!InternetOpenA                                       7793D690 5 Bytes  JMP 01360FEF
                .text           C:\Windows\System32\svchost.exe[1060] wininet.dll!InternetOpenW                                       7793DB09 5 Bytes  JMP 01360FDE
                .text           C:\Windows\System32\svchost.exe[1060] wininet.dll!InternetOpenUrlA                                    7793F3A4 5 Bytes  JMP 01360FC3
                .text           C:\Windows\System32\svchost.exe[1060] wininet.dll!InternetOpenUrlW                                    77986DDF 5 Bytes  JMP 01360FB2
                .text           C:\Windows\System32\svchost.exe[1128] kernel32.dll!GetStartupInfoW                                    77811929 5 Bytes  JMP 007100CE
                .text           C:\Windows\System32\svchost.exe[1128] kernel32.dll!GetStartupInfoA                                    778119C9 5 Bytes  JMP 007100BD
                .text           C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateProcessW                                     77811BF3 5 Bytes  JMP 007100FA
                .text           C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateProcessA                                     77811C28 5 Bytes  JMP 007100E9
                .text           C:\Windows\System32\svchost.exe[1128] kernel32.dll!VirtualProtect                                     77811DC3 5 Bytes  JMP 0071007D
                .text           C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateNamedPipeA                                   77812EF5 5 Bytes  JMP 00710025
                .text           C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateNamedPipeW                                   77815C0C 5 Bytes  JMP 00710FD4
                .text           C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreatePipe                                         77838E6E 5 Bytes  JMP 00710F88
                .text           C:\Windows\System32\svchost.exe[1128] kernel32.dll!LoadLibraryExW                                     77839109 5 Bytes  JMP 0071006C
                .text           C:\Windows\System32\svchost.exe[1128] kernel32.dll!LoadLibraryW                                       77839362 5 Bytes  JMP 00710040
                .text           C:\Windows\System32\svchost.exe[1128] kernel32.dll!LoadLibraryExA                                     778394B4 5 Bytes  JMP 0071005B
                .text           C:\Windows\System32\svchost.exe[1128] kernel32.dll!LoadLibraryA                                       778394DC 5 Bytes  JMP 00710FC3
                .text           C:\Windows\System32\svchost.exe[1128] kernel32.dll!VirtualProtectEx                                   7783DBDA 5 Bytes  JMP 00710098
                .text           C:\Windows\System32\svchost.exe[1128] kernel32.dll!GetProcAddress                                     7785903B 5 Bytes  JMP 00710F52
                .text           C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateFileW                                        7785AECB 5 Bytes  JMP 0071000A
                .text           C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateFileA                                        7785CE5F 5 Bytes  JMP 00710FEF
                .text           C:\Windows\System32\svchost.exe[1128] kernel32.dll!WinExec                                            778A5CF7 5 Bytes  JMP 00710F6D
                .text           C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_wsystem                                             77227F2F 5 Bytes  JMP 006B0F95
                .text           C:\Windows\System32\svchost.exe[1128] msvcrt.dll!system                                               7722804B 5 Bytes  JMP 006B0FA6
                .text           C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_creat                                               7722BBE1 5 Bytes  JMP 006B0016
                .text           C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_open                                                7722D106 5 Bytes  JMP 006B0FE3
                .text           C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_wcreat                                              7722D326 5 Bytes  JMP 006B0FC1
                .text           C:\Windows\System32\svchost.exe[1128] msvcrt.dll!_wopen                                               7722D501 5 Bytes  JMP 006B0FD2
                .text           C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyExA                                    776D39AB 5 Bytes  JMP 006E0058
                .text           C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyA                                      776D3BA9 5 Bytes  JMP 006E003D
                .text           C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyA                                        776D89C7 5 Bytes  JMP 006E0000
                .text           C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyW                                      776E391E 5 Bytes  JMP 006E0FB6
                .text           C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyExW                                    776E41F1 5 Bytes  JMP 006E0073
                .text           C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyExA                                      776E7C42 5 Bytes  JMP 006E001B
                .text           C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyW                                        776EE2B5 5 Bytes  JMP 006E0FDB
                .text           C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegOpenKeyExW                                      776F7BA1 5 Bytes  JMP 006E002C
                .text           C:\Windows\System32\svchost.exe[1128] WS2_32.dll!socket                                               77C636D1 5 Bytes  JMP 00730FEF
                .text           C:\Windows\System32\svchost.exe[1220] kernel32.dll!GetStartupInfoW                                    77811929 5 Bytes  JMP 0172006C
                .text           C:\Windows\System32\svchost.exe[1220] kernel32.dll!GetStartupInfoA                                    778119C9 5 Bytes  JMP 01720F26
                .text           C:\Windows\System32\svchost.exe[1220] kernel32.dll!CreateProcessW                                     77811BF3 5 Bytes  JMP 01720F01
                .text           C:\Windows\System32\svchost.exe[1220] kernel32.dll!CreateProcessA                                     77811C28 5 Bytes  JMP 01720098
                .text           C:\Windows\System32\svchost.exe[1220] kernel32.dll!VirtualProtect                                     77811DC3 5 Bytes  JMP 01720F5C
                .text           C:\Windows\System32\svchost.exe[1220] kernel32.dll!CreateNamedPipeA                                   77812EF5 5 Bytes  JMP 01720FB9
                .text           C:\Windows\System32\svchost.exe[1220] kernel32.dll!CreateNamedPipeW                                   77815C0C 5 Bytes  JMP 0172000A
                .text           C:\Windows\System32\svchost.exe[1220] kernel32.dll!CreatePipe                                         77838E6E 5 Bytes  JMP 01720047
                .text           C:\Windows\System32\svchost.exe[1220] kernel32.dll!LoadLibraryExW                                     77839109 5 Bytes  JMP 01720F6D
                .text           C:\Windows\System32\svchost.exe[1220] kernel32.dll!LoadLibraryW                                       77839362 5 Bytes  JMP 0172002C
                .text           C:\Windows\System32\svchost.exe[1220] kernel32.dll!LoadLibraryExA                                     778394B4 5 Bytes  JMP 01720F8A
                .text           C:\Windows\System32\svchost.exe[1220] kernel32.dll!LoadLibraryA                                       778394DC 5 Bytes  JMP 0172001B
                .text           C:\Windows\System32\svchost.exe[1220] kernel32.dll!VirtualProtectEx                                   7783DBDA 5 Bytes  JMP 01720F37
                .text           C:\Windows\System32\svchost.exe[1220] kernel32.dll!GetProcAddress                                     7785903B 5 Bytes  JMP 01720EE6
                .text           C:\Windows\System32\svchost.exe[1220] kernel32.dll!CreateFileW                                        7785AECB 5 Bytes  JMP 01720FD4
                .text           C:\Windows\System32\svchost.exe[1220] kernel32.dll!CreateFileA                                        7785CE5F 5 Bytes  JMP 01720FEF
                .text           C:\Windows\System32\svchost.exe[1220] kernel32.dll!WinExec                                            778A5CF7 5 Bytes  JMP 01720087
                .text           C:\Windows\System32\svchost.exe[1220] msvcrt.dll!_wsystem                                             77227F2F 5 Bytes  JMP 015B0040
                .text           C:\Windows\System32\svchost.exe[1220] msvcrt.dll!system                                               7722804B 5 Bytes  JMP 015B0FB5
                .text           C:\Windows\System32\svchost.exe[1220] msvcrt.dll!_creat                                               7722BBE1 5 Bytes  JMP 015B0FC6
                .text           C:\Windows\System32\svchost.exe[1220] msvcrt.dll!_open

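Reading a GMER user-mode hook listing like the one above by hand is tedious, so here is an added triage script written for this thread; it is not part of GMER and not code from any post in it. It parses the ".text <process>[<pid>] <module>!<export> <addr> 5 Bytes JMP <target>" lines, groups them per process, and reports the structural facts an analyst checks first: which exports have their prologue patched, how many distinct 64 KiB trampoline regions the JMP targets fall into, whether every target lies far below where the 32-bit system DLLs are mapped (SYSTEM_DLL_FLOOR is an assumed heuristic threshold, not a GMER value), and whether several processes carry an identical hook set. The embedded sample is a ten-line excerpt copied from the log above. One caveat before reading anything into the output: an identical prologue hook set on CreateProcess, LoadLibrary, CreateFile, the Reg* functions and socket in every process is exactly what the user-mode component of a HIPS or antivirus product installs as well, so the script flags structure only; attribution needs each target address resolved against the process's actual loaded-module list.

```python
"""Triage user-mode inline hooks from a GMER log.

Added example for this thread; not part of GMER or of any post here.
Each input line has the shape
    .text <process>[<pid>] <module>!<export> <addr> <n> Bytes JMP <target>
and describes an export whose first <n> bytes were overwritten with a JMP.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

HOOK_RE = re.compile(
    r"^\s*\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<export>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes\s+"
    r"(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-Fa-f]{8})"
)

# Assumed heuristic threshold: the system DLLs in this log (kernel32,
# advapi32, msvcrt, ws2_32, wininet) sit at 0x77xxxxxx, so a target far
# below that is not inside them. "Not backed by any module" still has to be
# confirmed against the process's real module list (GMER, Process Explorer).
SYSTEM_DLL_FLOOR = 0x60000000

# 64 KiB allocation granularity: hook engines typically allocate one region
# per hooked DLL and fill it with stubs, hence targets like 0135xxxx/0134xxxx.
ALLOC_MASK = 0xFFFF0000

# Ten lines copied from the log in this thread (two svchost.exe instances).
SAMPLE_LOG = r"""
.text C:\Windows\System32\svchost.exe[1060] kernel32.dll!CreateProcessW 77811BF3 5 Bytes  JMP 01350EF0
.text C:\Windows\System32\svchost.exe[1060] kernel32.dll!LoadLibraryW 77839362 5 Bytes  JMP 01350FA5
.text C:\Windows\System32\svchost.exe[1060] kernel32.dll!CreateFileW 7785AECB 5 Bytes  JMP 0135000A
.text C:\Windows\System32\svchost.exe[1060] ADVAPI32.dll!RegCreateKeyExW 776E41F1 5 Bytes  JMP 01340F79
.text C:\Windows\System32\svchost.exe[1060] WS2_32.dll!socket 77C636D1 5 Bytes  JMP 01430FE5
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateProcessW 77811BF3 5 Bytes  JMP 007100FA
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!LoadLibraryW 77839362 5 Bytes  JMP 00710040
.text C:\Windows\System32\svchost.exe[1128] kernel32.dll!CreateFileW 7785AECB 5 Bytes  JMP 0071000A
.text C:\Windows\System32\svchost.exe[1128] ADVAPI32.dll!RegCreateKeyExW 776E41F1 5 Bytes  JMP 006E0073
.text C:\Windows\System32\svchost.exe[1128] WS2_32.dll!socket 77C636D1 5 Bytes  JMP 00730FEF
"""


@dataclass(frozen=True)
class Hook:
    process: str
    pid: int
    module: str   # lower-cased DLL name
    export: str
    addr: int     # patched export address
    size: int     # bytes overwritten
    kind: str     # JMP or CALL
    target: int   # where control goes after the patch


def parse_hooks(text):
    """Return one Hook per parseable line; other lines are ignored."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            hooks.append(Hook(
                process=m["proc"], pid=int(m["pid"]),
                module=m["module"].lower(), export=m["export"],
                addr=int(m["addr"], 16), size=int(m["size"]),
                kind=m["kind"], target=int(m["target"], 16)))
    return hooks


def summarize(hooks):
    """Per-pid facts: patched exports, trampoline regions, target placement."""
    by_pid = defaultdict(list)
    for h in hooks:
        by_pid[h.pid].append(h)
    summary = {}
    for pid, hs in by_pid.items():
        summary[pid] = {
            "process": hs[0].process,
            "exports": sorted(f"{h.module}!{h.export}" for h in hs),
            "trampoline_regions": sorted({h.target & ALLOC_MASK for h in hs}),
            "targets_below_system_dlls": all(h.target < SYSTEM_DLL_FLOOR for h in hs),
            "prologue_patches": all(h.kind == "JMP" and h.size == 5 for h in hs),
        }
    return summary


def shared_hook_sets(summary):
    """Hook sets that recur verbatim in several processes: one injector at work."""
    groups = defaultdict(list)
    for pid, info in summary.items():
        groups[tuple(info["exports"])].append(pid)
    return {exports: sorted(pids) for exports, pids in groups.items() if len(pids) > 1}


def report(summary):
    lines = []
    for pid in sorted(summary):
        info = summary[pid]
        regions = [hex(r) for r in info["trampoline_regions"]]
        lines.append(f"{info['process']}[{pid}]: {len(info['exports'])} patched exports, "
                     f"trampoline regions {regions}, "
                     f"all targets below system DLLs={info['targets_below_system_dlls']}, "
                     f"all 5-byte JMP prologue patches={info['prologue_patches']}")
    for exports, pids in shared_hook_sets(summary).items():
        lines.append(f"identical hook set in pids {pids}: {', '.join(exports)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(summarize(parse_hooks(SAMPLE_LOG)))))
```

Run it on the sample and each svchost instance shows three trampoline regions (one each for kernel32, advapi32 and ws2_32), every target below the system DLL range, and the same five exports patched in both processes. On the full log above the same check would also surface that pid 1060 alone carries the extra wininet.dll hooks, which is the kind of per-process difference worth asking about before deciding whether the hooks belong to a security product or to something injected.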
                SuperDave

                • Malware Removal Specialist


                • Genius
                • Thanked: 1020
                • Certifications: List
                • Experience: Expert
                • OS: Windows 10
                Re: Requesting help please
                « Reply #10 on: September 10, 2010, 04:08:59 PM »
                I'd like to scan your machine with ESET OnlineScan

                • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
                  ESET OnlineScan
                • Click the button.
                • For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
                  • Click on to download the ESET Smart Installer. Save it to your desktop.
                  • Double click on the icon on your desktop.
                • Check
                • Click the button.
                • Accept any security warnings from your browser.
                • Check
                • Push the Start button.
                • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
                • When the scan completes, push
                • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
                • Push the button.
                • Push
                A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

                Windows 8 and Windows 10 dual boot with two SSD's

                TylerDoom

                  Topic Starter


                  Beginner

                  • Experience: Beginner
                  • OS: Windows 8
                  Re: Requesting help please
                  « Reply #11 on: September 10, 2010, 07:28:57 PM »
                  Here is the ESET log. Also, I still cannot uninstall DivX.

                  Thanks for your time, SuperDave.

                  ESET Log:

                  C:\ProgramData\Spybot - Search & Destroy\Recovery\SweetIM13.zip    Win32/Bagle.gen.zip worm    cleaned by deleting - quarantined
                  C:\ProgramData\Spybot - Search & Destroy\Recovery\SweetIM40.zip    Win32/Bagle.gen.zip worm    cleaned by deleting - quarantined
                  C:\Users\Tyler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\44\cb1f76c-392348b5    multiple threats    deleted - quarantined
                  C:\Users\Tyler\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\58\5340ebba-2fe81f69    multiple threats    deleted - quarantined

                  SuperDave

                  • Malware Removal Specialist


                  • Genius
                  • Thanked: 1020
                  • Certifications: List
                  • Experience: Expert
                  • OS: Windows 10
                  Re: Requesting help please
                  « Reply #12 on: September 11, 2010, 06:32:47 PM »
                  How's your computer running now? Let's try to get rid of DivX this way. Don't post the log. Just tell me if it was removed.

                  Re-running ComboFix to remove infections:

                  • Close any open browsers.
                  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
                  • Open Notepad and copy/paste the text in the quote box below into it:
                    Quote
                    KillAll::

                    Folder::
                    c:\program files\DivX

                  • Save this as CFScript.txt, in the same location as ComboFix.exe

                  • Referring to the picture above, drag CFScript into ComboFix.exe
                  • When finished, it shall produce a log for you at C:\ComboFix.txt
                  • Please post the contents of the log in your next reply.

                  TylerDoom

                    Topic Starter


                    Beginner

                    • Experience: Beginner
                    • OS: Windows 8
                    Re: Requesting help please
                    « Reply #13 on: September 11, 2010, 10:25:57 PM »
                    Hey again.. OK, I did what you said and DivX is gone now. I had to delete the shortcuts, but everything else appears to be gone. I haven't been on this PC much yet using IE since the last scan, so I am not certain whether it will crash anymore, but I will test it out.

                       Is there anything else you need me to do in the meantime? If not, I'll reply here soon if anything bad happens; if not, I'll still let ya know if things are better..

                       Thanks a ton for all your time, SuperDave. You have been an awesome help. Keep up the good work!

                       Thanks again!


                    TylerDoom

                      Topic Starter


                      Beginner

                      • Experience: Beginner
                      • OS: Windows 8
                      Re: Requesting help please
                      « Reply #14 on: September 12, 2010, 07:07:12 AM »
                      Also, my McAfee scan still runs extremely slow... It's been on all night, about 5 hours, and it's only at 29%... It'll probably run all day too. I am wondering if this is caused by something else or if I should contact McAfee about the problem..

                         Thanks for your time, SuperDave